Vulnerabilities > F5 > BIG IP Access Policy Manager

DATE CVE VULNERABILITY TITLE RISK
2021-02-12 CVE-2021-22975 Unspecified vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management Microkernel (TMM) may restart on the BIG-IP system while passing large bursts of traffic.
network
low complexity
f5
7.5
2021-02-12 CVE-2021-22974 Race Condition vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level.
network
high complexity
f5 CWE-362
7.5
2021-02-12 CVE-2021-22973 Out-of-bounds Write vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x versions, JSON parser function does not protect against out-of-bounds memory accesses or writes.
network
low complexity
f5 CWE-787
7.5
2020-12-24 CVE-2020-27729 Open Redirect vulnerability in F5 Big-Ip Access Policy Manager
In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, an undisclosed link on the BIG-IP APM virtual server allows a malicious user to build an open redirect URI.
network
low complexity
f5 CWE-601
6.1
2020-12-24 CVE-2020-27727 Improper Input Validation vulnerability in F5 products
On BIG-IP version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, when an authenticated administrative user installs RPMs using the iAppsLX REST installer, the BIG-IP system does not sufficiently validate user input, allowing the user read access to the filesystem.
network
low complexity
f5 CWE-20
4.9
2020-12-24 CVE-2020-27726 Cross-site Scripting vulnerability in F5 Big-Ip Access Policy Manager
In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.2, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.
network
low complexity
f5 CWE-79
6.1
2020-12-24 CVE-2020-27723 Unspecified vulnerability in F5 Big-Ip Access Policy Manager
In versions 14.1.0-14.1.3 and 13.1.0-13.1.3.4, a BIG-IP APM virtual server processing PingAccess requests may lead to a restart of the Traffic Management Microkernel (TMM) process.
network
low complexity
f5
7.5
2020-12-24 CVE-2020-27722 Resource Exhaustion vulnerability in F5 Big-Ip Access Policy Manager
In BIG-IP APM versions 15.0.0-15.0.1.3, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, under certain conditions, the VDI plugin does not observe plugin flow-control protocol causing excessive resource consumption.
network
low complexity
f5 CWE-400
6.5
2020-12-24 CVE-2020-27719 Cross-site Scripting vulnerability in F5 products
On BIG-IP 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, a cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.
network
low complexity
f5 CWE-79
6.1
2020-12-24 CVE-2020-27716 Unspecified vulnerability in F5 Big-Ip Access Policy Manager
On versions 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, when a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts.
network
low complexity
f5
7.5